sn00py
Guest
Microsoft (R) Windows Debugger Version 10.0.21306.1007 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.
Loading Dump File [C:\WINDOWS\MEMORY.DMP]
Kernel Bitmap Dump File: Kernel address space is available, User address space may not be available.
************* Path validation summary **************
Response Time (ms) Location
Deferred srv*
DBGHELP: Symbol Search Path: cache*;SRV*Symbol information
Symbol search path is: srv*
Executable search path is:
DBGHELP: Symbol Search Path: cache*;SRV*Symbol information
SYMSRV: BYINDEX: 0x1
C:\ProgramData\Dbg\sym
ntoskrnl.exe
D3F646971046000
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntoskrnl.exe\D3F646971046000\ntoskrnl.exe
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\ProgramData\Dbg\sym\ntoskrnl.exe\D3F646971046000\ntoskrnl.exe - OK
DBGENG: C:\ProgramData\Dbg\sym\ntoskrnl.exe\D3F646971046000\ntoskrnl.exe - Mapped image memory
SYMSRV: BYINDEX: 0x2
C:\ProgramData\Dbg\sym
ntkrnlmp.pdb
3FCC539FF307DD2D9C509206D352B9AA1
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\3FCC539FF307DD2D9C509206D352B9AA1\ntkrnlmp.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: nt - public symbols
C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\3FCC539FF307DD2D9C509206D352B9AA1\ntkrnlmp.pdb
Windows 10 Kernel Version 19041 MP (8 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Edition build lab: 19041.1.amd64fre.vb_release.191206-1406
Machine Name:
Kernel base = 0xfffff806`5b200000 PsLoadedModuleList = 0xfffff806`5be2a490
Debug session time: Mon Mar 15 20:16:40.412 2021 (UTC - 4:00)
System Uptime: 1 days 10:50:57.065
SYMSRV: BYINDEX: 0x3
C:\ProgramData\Dbg\sym
ntoskrnl.exe
D3F646971046000
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntoskrnl.exe\D3F646971046000\ntoskrnl.exe
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\ProgramData\Dbg\sym\ntoskrnl.exe\D3F646971046000\ntoskrnl.exe - OK
DBGENG: C:\ProgramData\Dbg\sym\ntoskrnl.exe\D3F646971046000\ntoskrnl.exe - Mapped image memory
SYMSRV: BYINDEX: 0x4
C:\ProgramData\Dbg\sym
ntkrnlmp.pdb
3FCC539FF307DD2D9C509206D352B9AA1
SYMSRV: PATH: C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\3FCC539FF307DD2D9C509206D352B9AA1\ntkrnlmp.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: nt - public symbols
C:\ProgramData\Dbg\sym\ntkrnlmp.pdb\3FCC539FF307DD2D9C509206D352B9AA1\ntkrnlmp.pdb
Loading Kernel Symbols
...............................................................
................................................................
................................................................
..........................
Loading User Symbols
PEB is paged out (Peb.Ldr = 000000d2`a5a94018). Type ".hh dbgerr001" for details
Loading unloaded module list
.................................................
For analysis of this file, run !analyze -v
nt!KeBugCheckEx:
fffff806`5b5f5c50 48894c2408 mov qword ptr [rsp+8],rcx ss:0018:fffff988`05eadb10=0000000000000139
0: kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 000000000000000e, Type of memory safety violation
Arg2: fffff98805eade30, Address of the trap frame for the exception that caused the bugcheck
Arg3: fffff98805eadd88, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved
Debugging Details:
------------------
SYMSRV: BYINDEX: 0x9
C:\ProgramData\Dbg\sym
win32k.sys
E87370BB9a000
SYMSRV: PATH: C:\ProgramData\Dbg\sym\win32k.sys\E87370BB9a000\win32k.sys
SYMSRV: RESULT: 0x00000000
DBGHELP: C:\ProgramData\Dbg\sym\win32k.sys\E87370BB9a000\win32k.sys - OK
DBGENG: C:\ProgramData\Dbg\sym\win32k.sys\E87370BB9a000\win32k.sys - Mapped image memory
SYMSRV: BYINDEX: 0xA
C:\ProgramData\Dbg\sym
win32k.pdb
ED706A38659240A066E6FB19B994BAAA1
SYMSRV: PATH: C:\ProgramData\Dbg\sym\win32k.pdb\ED706A38659240A066E6FB19B994BAAA1\win32k.pdb
SYMSRV: RESULT: 0x00000000
DBGHELP: win32k - public symbols
C:\ProgramData\Dbg\sym\win32k.pdb\ED706A38659240A066E6FB19B994BAAA1\win32k.pdb
KEY_VALUES_STRING: 1
Key : Analysis.CPU.mSec
Value: 4312
Key : Analysis.DebugAnalysisManager
Value: Create
Key : Analysis.Elapsed.mSec
Value: 4446
Key : Analysis.Init.CPU.mSec
Value: 499
Key : Analysis.Init.Elapsed.mSec
Value: 3940
Key : Analysis.Memory.CommitPeak.Mb
Value: 78
Key : FailFast.Name
Value: INVALID_REFERENCE_COUNT
Key : FailFast.Type
Value: 14
Key : WER.OS.Branch
Value: vb_release
Key : WER.OS.Timestamp
Value: 2019-12-06T14:06:00Z
Key : WER.OS.Version
Value: 10.0.19041.1
BUGCHECK_CODE: 139
BUGCHECK_P1: e
BUGCHECK_P2: fffff98805eade30
BUGCHECK_P3: fffff98805eadd88
BUGCHECK_P4: 0
TRAP_FRAME: fffff98805eade30 -- (.trap 0xfffff98805eade30)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffa20802655050 rbx=0000000000000000 rcx=000000000000000e
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80660731df4 rsp=fffff98805eadfc8 rbp=ffffdc0beebd2040
r8=ffffdc0c0c04b9d0 r9=fffff98805eae980 r10=0000000000000000
r11=fffff98805eadf60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz na po nc
LXCORE!LxpSyscall_SCHED_SETSCHEDULER+0x94:
fffff806`60731df4 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: fffff98805eadd88 -- (.exr 0xfffff98805eadd88)
ExceptionAddress: fffff80660731df4 (LXCORE!LxpSyscall_SCHED_SETSCHEDULER+0x0000000000000094)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 000000000000000e
Subcode: 0xe FAST_FAIL_INVALID_REFERENCE_COUNT
BLACKBOXBSD: 1 (!blackboxbsd)
BLACKBOXNTFS: 1 (!blackboxntfs)
BLACKBOXPNP: 1 (!blackboxpnp)
BLACKBOXWINLOGON: 1
PROCESS_NAME: backgroundTaskHost.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 000000000000000e
EXCEPTION_STR: 0xc0000409
STACK_TEXT:
fffff988`05eadb08 fffff806`5b607b69 : 00000000`00000139 00000000`0000000e fffff988`05eade30 fffff988`05eadd88 : nt!KeBugCheckEx
fffff988`05eadb10 fffff806`5b607f90 : fffff988`05eae130 fffff988`05eae11c ffffdc0b`fedc6880 ffffdc0b`ff8c7a68 : nt!KiBugCheckDispatch+0x69
fffff988`05eadc50 fffff806`5b606323 : 00000000`00000000 fffff988`05ea9000 00000000`00000000 00000000`00000000 : nt!KiFastFailDispatch+0xd0
fffff988`05eade30 fffff806`60731df4 : fffff806`61004b68 ffffa208`03bb971c ffffa208`02655050 ffffa207`fa6c9c01 : nt!KiRaiseSecurityCheckFailure+0x323
fffff988`05eadfc8 fffff988`05eae0d0 : fffff988`05eae0d0 00000000`00000000 00000000`00000000 00000000`00000000 : LXCORE!LxpSyscall_SCHED_SETSCHEDULER+0x94
fffff988`05eae0d8 fffff988`05eae0d0 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff988`05eae0d0
fffff988`05eae0e0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0xfffff988`05eae0d0
SYMBOL_NAME: LXCORE!LxpSyscall_SCHED_SETSCHEDULER+94
MODULE_NAME: LXCORE
IMAGE_NAME: LXCORE.SYS
STACK_COMMAND: .thread ; .cxr ; kb
BUCKET_ID_FUNC_OFFSET: 94
FAILURE_BUCKET_ID: 0x139_e_INVALID_REFERENCE_COUNT_LXCORE!LxpSyscall_SCHED_SETSCHEDULER
OS_VERSION: 10.0.19041.1
BUILDLAB_STR: vb_release
OSPLATFORM_TYPE: x64
OSNAME: Windows 10
FAILURE_ID_HASH: {7914fe9b-3019-bfb1-077f-959440cca2a2}
Followup: MachineOwner
---------